A full 56% of cybersecurity pros surveyed by the Information Systems Audit and Control Association (ISACA) say that today’s cyber workers tend to lack soft skills, including written communications, the ability to make presentations, and the ability to work with a team.
“Grit and perseverance are really important to me,” said Gregory Touhill, director of the CERT Division at the Software Engineering Institute at Carnegie Mellon University. Touhill was also named the first-ever federal CISO during the Obama administration and serves as an ISACA board member.
“We look for people with the right attitude, people who can be dynamic, and are eager to better themselves and eager to learn,” he said. “They also have to work within a team. When they are going on an incident response, these are often ad-hoc teams that include a database administrator, networking person, a supervisor and other security specialists.”
Touhill made his comments during a session this morning at the RSA Conference on closing the cybersecurity workforce gap moderated by Jonathan Brandt, ISACA’s information security professional practice lead. Brandt and Touhill were joined on the panel by Caitlin McGaw, founder and CEO of McGaw Candor.
Click here for more coverage of the 2021 RSA Conference.
McGaw, who manages a recruiting practice, added that she looks for people with what she calls “emotional intelligence” as opposed to just looking at an applicant’s technical achievements and certifications.
“Very often hiring managers will focus on getting people to talk about their technical attributes, but they also need to ask more probing questions to learn more about how the candidate manages their emotions and how they will resolve conflicts. We need to find out about a person’s optimism, how determined they are and if they can really stick it out when presented with the tough kinds of problems security people face every day.”
Touhill said that security people can take different paths to enter the field. He said some of the best cyber people he hired when he was with the military were people who served as Air Force security police officers. Touhill also said that people from the information management group understand an IT culture and, with the added technical skills, did very well in the cyber field, as do former auditors and controllers.
“Auditors and controllers spend a lot of time doing business process analysis, so once you add technical skills, watch out, they are very effective,” Touhill said.
McGaw added that people with marketing and public relations backgrounds also do well in cyber, and that engineers and logistics people have also made the transition into cybersecurity.
“The main thing is for organizations to have a welcoming culture and to seek out diversity in terms of ethnicity, gender and people’s backgrounds,” she said. “For those coming out of a university program who may not have the soft skills, there are ways to gain them. Teach computer literacy in the community, or volunteer at one of the computer industry trade associations. Anything where you have to deal with people and solve problems.”